By all (online) accounts, Mia Ash was a pretty and successful photographer based in London, and she was looking for friendship and love on the Internet.
Her LinkedIn account told a story of a dedicated and knowledgeable professional with over 500 connections (many from well known photographers), her Instagram and Blogger accounts showed a myriad of great photos, and her Facebook account painted a picture of a popular young woman.
But unfortunately for those who believed her to be a real person, she does not actually exist – the illusion that she does was meticulously created by hackers.
The APT group behind Mia Ash
These hackers were not after money, but secrets, and the victims that “Mia” so easily befriended were mostly mid-level employees in technical (mechanical and computer) or project management roles in companies in the Middle East and North Africa.
SecureWorks researchers believe that the “Mia Ash” persona was used by a group they nicknamed Cobalt Gypsy, associated with Iranian government-directed cyber operations, for the express purpose of exploiting those contacts to breach their employers’ networks.
“Mia” would reach out to the victims via LinkedIn, asking a question or two about photography, and would keep talking to them via Facebook, WhatsApp and email about all sorts of subjects, slowly creating a rapport that bred familiarity and trust.
After a month or so of everyday exchanges, “Mia” would ask for a favor: “Can you open this file I sent you on your work computer?” The pretext was, of course, less suspicious: Mia asked the victim to participate in a photography survey by filling out an Excel sheet containing the questions.
“Mia encouraged the victim to open the email at work using their corporate email account so the survey would function properly,” the researchers explained. And the victims complied: they opened the file, enabled macros in order to view the content, and let the hackers in, as the macros downloaded PupyRAT, an open-source, cross-platform remote access trojan.
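The lure in this campaign was an Excel “survey” whose macros did the real work, so one check a mail gateway or triage script can make is whether an incoming Office attachment carries a VBA project at all. The following is an added example (not SecureWorks’ code and not tied to their tooling): it inspects an Office Open XML attachment for an embedded VBA part and flags a macro project hiding behind a non-macro extension; the sample workbooks it inspects are constructed in memory.

```python
"""Flag macro-bearing Excel attachments (constructed demo, not SecureWorks' code).

Office Open XML files (.xlsx/.xlsm) are zip containers; a VBA project shows
up as the part xl/vbaProject.bin and as a content type in [Content_Types].xml.
"""
import io
import zipfile

# Parts/markers that exist only when a VBA project is embedded.
VBA_PART = "xl/vbaProject.bin"
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
NON_MACRO_EXTENSIONS = ("xlsx", "docx", "pptx")


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: has_vba plus human-readable reasons."""
    verdict = {"filename": filename, "has_vba": False, "reasons": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        verdict["reasons"].append("not an OOXML container (legacy .xls or other format)")
        return verdict
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if VBA_PART in zf.namelist():
            verdict["has_vba"] = True
            verdict["reasons"].append("embedded VBA project part found")
        try:
            content_types = zf.read("[Content_Types].xml")
        except KeyError:
            content_types = b""
        if MACRO_CONTENT_TYPE in content_types:
            verdict["has_vba"] = True
            verdict["reasons"].append("macro content type declared")
    extension = filename.lower().rsplit(".", 1)[-1]
    if verdict["has_vba"] and extension in NON_MACRO_EXTENSIONS:
        verdict["reasons"].append("macro project inside a non-macro extension")
    return verdict


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal workbook container for the demo (hypothetical, not a real file)."""
    override = (b'<Override PartName="/xl/vbaProject.bin" '
                b'ContentType="application/vnd.ms-office.vbaProject"/>') if with_vba else b""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types>" + override + b"</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("photography_survey.xlsm", build_sample(True)))
```

Legacy binary formats (.xls) are not zip containers and need a separate OLE parser; this check only covers the OOXML case.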
Most of the victims should have known better than to open such a file and enable macros on a computer on the corporate network, but the fact that they did demonstrates how effective many social engineering tactics are.
To be fair, the attackers did a good job in creating extremely convincing online accounts, populated with content stolen from legitimate photographers and professionals, and by choosing to make the fake persona a young, attractive woman.
SecureWorks says Mia’s accounts were online for roughly a year, but disappeared in early 2017. In that year, “she” had successfully tricked many a victim.
Social engineering is a good bet for hackers
The researchers have been tracking multiple Cobalt Gypsy campaigns since 2015, and have witnessed the group launching espionage campaigns against organizations that are of strategic, political, or economic importance to Iranian interests.
“The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets,” they noted, and added that Mia Ash is likely one of many personas managed by the threat actor.
“Cobalt Gypsy’s continued social media use reinforces the importance of recurring social engineering training,” they also pointed out.
“Organizations must provide employees with clear social media guidance and instructions for reporting potential phishing messages received through corporate email, personal email, and social media platforms. Guidance should include recommendations for reporting inquiries by an unknown third party about an employer, business systems, or the corporate network, or requests to perform actions such as opening a document or visiting a website.”